<!DOCTYPE html>
<html lang="en">
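<head>
    <!-- Document metadata for the FortiGuard "Threat Signal Report" page:
         encoding and viewport, page summary, social-card tags, icon, styles and scripts. -->
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="title" property="title" content="Threat Signal Report" />
    <meta name="description" property="description" content="FortiGuard Labs is aware of a new report of a new malware for Linux observed in the wild. Dubbed Shikitega, its attack flow involves multiple modul..." />

    <!-- Twitter card tags. Each property mirrors its name; twitter:description
         previously carried property="twitter:url", which mislabelled the summary text. -->
    <meta name="twitter:card" property="twitter:card" content="summary" />
    <meta name="twitter:title" property="twitter:title" content="Fortiguard" />
    <meta name="twitter:url" property="twitter:url" content="https://fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines" />
    <meta name="twitter:description" property="twitter:description" content="FortiGuard Labs is aware of a new report of a new malware for Linux observed in the wild. Dubbed Shikitega, its attack flow involves multiple modul..." />
    <!-- Card images use an absolute URL on the same origin as og:url, since a
         consumer reading only the tag has no base URL to resolve a relative path. -->
    <meta name="twitter:image" property="twitter:image" content="https://fortiguard.com/static/fortiguard.png?v=8493" />

    <!-- Open Graph tags. -->
    <meta name="og:type" property="og:type" content="article" />
    <meta name="og:site_name" property="og:site_name" content="FortiGuard" />
    <!-- NOTE(review): og:locale is emitted empty; confirm the intended locale or drop the tag. -->
    <meta name="og:locale" property="og:locale" content="" />
    <meta name="og:title" property="og:title" content="Fortiguard" />
    <meta name="og:url" property="og:url" content="https://fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines" />
    <meta name="og:description" property="og:description" content="FortiGuard Labs is aware of a new report of a new malware for Linux observed in the wild. Dubbed Shikitega, its attack flow involves multiple modul..." />
    <meta name="og:image" property="og:image" content="https://fortiguard.com/static/fortiguard.png?v=8493" />

    <link rel="shortcut icon" href="/static/images/favicon.ico?v=8493" type="image/x-icon" />

    <title>Threat Signal Report | FortiGuard</title>

    <!-- Same-origin assets, versioned through the ?v= query string. -->
    <link rel="stylesheet" href="/static/styles/vendor.min.css?v=8493">
    <link rel="stylesheet" href="/static/styles/style.min.css?v=8493">

    <script src="/static/scripts/vendor.min.js?v=8493"></script>

    <!-- Inline style block: a strict Content-Security-Policy would need a nonce or
         hash for it; moving these two rules into the stylesheet avoids that. -->
    <style>
        /* Hacks to deal with mm-slider and bootstrap colliding with each other */
        .mm-slideout {
            z-index: inherit;
        }
        .modal {
            color: #000;
        }
        /* End Hacks */
    </style>
</head>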




<body ng-app="fgd" class="threat-signal">



<header>
    
    <div id="main-nav">
        <nav class="desktop-nav d-none d-xl-block">
            <div class="container">
                <div class="row">
                    <div class="col-xl-3 col-lg-2 logo">
                        <a href="/">
                            <img src="/static/images/fortiguard-logo.svg?v=8493"
                                 alt="fortiguard-logo">
                        </a>
                    </div>
                    <div class="col-xl-9 col-lg-10">
                        <ul>
                            <li class="header-search-header">
                                <form action="/search" method="get">
                                    <span class="search_flat">
                                        <label for="search_field_header" class="d-none">Search</label>
                                        <input id="search_field_header"
                                               type="text"
                                               class="search_field"
                                               value=""
                                               placeholder="Search FortiGuard"
                                               name="q"
                                               required="required"
                                               autocomplete="off"/>
                                        <input type="submit" value=" "/>
                                        <div class="global_search-popup">
                                            
                                                <div class="search-popup-item">
                                                    <input type="radio"
                                                           name="engine"
                                                           id="all_home"
                                                           class="search-input-option"
                                                           value="1"
                                                           checked="checked"/>
                                                    <label class="search-input-label" for="all_home">
                                                        Normal
                                                    </label>
                                                </div>
                                            
                                                <div class="search-popup-item">
                                                    <input type="radio"
                                                           name="engine"
                                                           id="exact_home"
                                                           class="search-input-option"
                                                           value="2"
                                                           />
                                                    <label class="search-input-label" for="exact_home">
                                                        Exact Match
                                                    </label>
                                                </div>
                                            
                                            
                                        </div>
                                    </span>
                                </form>
                            </li>
                        </ul>
                    </div>
                </div>
            </div>
        </nav>
    </div>
</header>

<div class="page-content">
    

        

        <div class="page-section  ">
            

    <div class="container ">
        
            

            
        

        <div class="row">
            <div class="col-md-12">
                
                
            </div>
        </div>

        
            
    <div id="sidebarmobile"
         class="responsive_sidebar">
        
    </div>
    <div id="two-column" class="row">
        <div class="col-md-3 col-xs-12 col-sm-12 sidebarparent ">

            <div class="col-md-12 sidebar magnifying-glass">
                <div class="sidebar-header threat-bg"></div>
                <div class="sidebar-content">
                    
                    
    
        <table class="table table-responsive table-borderless threat-signal-report">
            
                <tr>
                    <td>ID</td>
                    <td>69</td>
                </tr>
            

            
                <tr>
                    <td>Date</td>
                    <td>Sep 08, 2022</td>
                </tr>
            

            

            
            <tr>
                <td>CVE ID</td>
                <td>
                
                    
                    
                    <a href="https://www.cve.org/CVERecord?id=CVE-2021-3493" rel="nofollow noopener noreferrer" target="_blank">CVE-2021-3493</a><br/>
                
                    
                    
                    <a href="https://www.cve.org/CVERecord?id=CVE-2021-4034" rel="nofollow noopener noreferrer" target="_blank">CVE-2021-4034</a><br/>
                
                </td>
            </tr>
            

            
                <tr>
                    <td>Threat/<br>Vulnerability</td>
                    <td>Backdoor</td>
                </tr>
            

            
                <tr>
                    <td>TLP Level</td>
                    <td>
                        <div>
                            <span class="white-circle">
                                <i class="fa fa-circle" aria-hidden="true"></i>
                            </span>

                            <span class="green-circle"><i class="fa fa-circle" aria-hidden="true"></i></span>
                            <span class="amber-circle"><i class="fa fa-circle" aria-hidden="true"></i></span>
                            <span class="red-circle"><i class="fa fa-circle" aria-hidden="true"></i></span>

                            
                                <div><i class="fa fa-caret-up" aria-hidden="true" style="margin-left: 8px;"></i></div>
                            
                            
                            
                            
                        </div>
                    </td>
                </tr>
            

            
                <tr>
                    <td>FortiGate Device Triggered</td>
                    <td>n/a</td>
                </tr>
            

            

            
                <tr>
                    <td>Threat Actor Type</td>
                    <td>Unknown</td>
                </tr>
            

            
                <tr>
                    <td>Threat Level</td>
                    <td>
                        
                            <span>MED</span>
                        
                        
                    </td>
                </tr>
            

        </table>
    

                </div>
            </div>

        

        

        </div>


        
        <div class="col-md-9 middlecontent col-xs-12 col-sm-12">
            <div class="padded">
                <div class="pagetitlewrapper">
                    <h1 class="pagetitle">
                        
                            <img src="/static/images/icons/signal-report.svg?v=8493"
                                 alt="" title=""/>
                        
                        <span></span>  Threat Signal Report 
                    </h1>
                    
                </div>
                <section class="ency_content">
                    
    
    
        <div class="detail-item">
            
            <h2 class="title">New Shikitega Malware Targets Linux Machines</h2>
            
                
            
        </div>

        

        
            <div class="detail-item">
                <h3><img src="/static/images/icons/description.svg?v=8493" alt="description-logo" width="55"/> Description</h3>
                <p>FortiGuard Labs is aware of a report of new Linux malware observed in the wild. Dubbed Shikitega, its attack flow involves multiple modules that are downloaded from a Command and Control (C2) server. Each module has its own purpose and is responsible for downloading and executing the next module. The goal of Shikitega is to deploy the XMRig cryptominer, taking control of the compromised Linux machine. <br></p><p><br></p><p><span style="font-weight: bold;">Why is this Significant?</span><br></p><p>This is significant because Shikitega is new Linux malware that is designed to take full control of a compromised machine. It uses a varied arsenal: the "Shikata Ga Nai" ("it cannot be helped" in Japanese) polymorphic shellcode encoder to evade detection by AV products, exploits for two privilege-escalation vulnerabilities, a Metasploit meterpreter called "Mettle" that enables the attacker to perform a wide range of malicious activities on the infected machine, and the XMRig cryptominer for mining Monero. </p><p><br></p><p><br></p><p><span style="font-weight: bold;">What is Shikitega Malware?</span></p><p>Shikitega is malware that is designed to run on Linux machines and consists of small modules.</p><p>Shikitega's infection chain starts with a single dropper containing a payload obfuscated by the "Shikata Ga Nai" polymorphic encoder. Once the payload is decrypted and executed, it not only downloads the next module from its C2 server but also downloads another dropper module, and runs both. One new module is a Metasploit meterpreter called "Mettle" that allows the attacker to perform malicious activities on the infected machine such as taking control of webcams and executing shell commands. The other module is also encoded using "Shikata Ga Nai" and is responsible for downloading another module and executing it with root privileges by exploiting two vulnerabilities (CVE-2021-4034 and CVE-2021-3493). 
The next module is XMRig, which is a legitimate but oft-abused cryptominer for the Monero cryptocurrency. </p><p><br></p><p><br></p><p><span style="font-weight: bold;">What Vulnerabilities does Shikitega Exploit?</span></p><p>Shikitega exploits CVE-2021-4034 and CVE-2021-3493 for privilege escalation; as described above, this happens in a module that is already running on the machine. </p><p><br></p><p>CVE-2021-4034 is a vulnerability in the polkit packages that provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Successful exploitation of the vulnerability allows an attacker with local network access to gain elevated privileges. The vulnerability has a CVSS score of 7.8 and is included in CISA's Known Exploited Vulnerabilities Catalog.</p><p><br></p><p>CVE-2021-3493 is a flaw in the Linux kernel in which the overlayfs stacking file system did not properly validate the application of file system capabilities with respect to user namespaces. Successful exploitation of the vulnerability allows an attacker with local network access to gain elevated privileges. The vulnerability has a CVSS score of 7.4.</p><p><br></p><p><br></p><p><span style="font-weight: bold;">Are Patches Available for CVE-2021-4034 and CVE-2021-3493?</span></p><p>Yes, both vulnerabilities have been fixed. Applying those fixes addresses the two privilege-escalation paths described above.</p><p><br></p><p><br></p><p><span style="font-weight: bold;">What is the Status of Coverage?</span></p><p>FortiGuard Labs provides the following AV coverage against available samples:</p><p><br></p><p></p><ul><li>PossibleThreat</li><li>Linux/CVE_2021_3493.A!tr</li><li>Linux/CVE_2021_4034.G!tr</li></ul><p></p><p><br></p><p>FortiGuard Labs is currently investigating additional coverage for CVE-2021-4034 and CVE-2021-3493. This Threat Signal will be updated when an update becomes available.</p>
            </div>
        

        

        
            <div class="detail-item">
                <h3><i class="fa fa-book" aria-hidden="true" style="margin-right:10px; font-size:24px;"></i> Appendix</h3>
                <p><a href="https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux">Shikitega - New stealthy malware targeting Linux</a> (Alien Labs)</p><p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034">CVE-2021-4034</a> (MITRE)<br></p><p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3493">CVE-2021-3493</a> (MITRE)</p>
            </div>
            <br>
        


        
        <div class="detail-item">
            <h3><i class="fa fa-list-alt" aria-hidden="true" style="margin-right:10px; font-size:24px;"></i> Definitions</h3>
            <div class="row">
                <div class="col-md-12">
                    <h4>Traffic Light Protocol</h4>
                    <div class="more-text">
                        <table class="table table-responsive table-hover table-bordered">
                            <thead>
                            <tr>
                                <th class="col-md-3">Color</th>
                                <th>When should it be used?</th>
                                <th>How may it be shared?</th>
                            </tr>
                            </thead>
                            <tbody>
                            <tr>
                                <td class="red"><h4>TLP: RED</h4> Not for disclosure, restricted to participants only.</td>
                                <td>Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.</td>
                                <td>Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.</td>
                            </tr>
                            <tr>
                                <td class="amber"><h4>TLP: AMBER</h4> Limited disclosure, restricted to participants’ organizations.</td>
                                <td>Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.</td>
                                <td>Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.</td>
                            </tr>
                            <tr>
                                <td class="green"><h4>TLP: GREEN</h4> Limited disclosure, restricted to the community.</td>
                                <td>Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.</td>
                                <td>Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.</td>
                            </tr>
                            <tr>
                                <td class="white"><h4>TLP: WHITE</h4> Disclosure is not limited.</td>
                                <td>Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.</td>
                                <td>Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.</td>
                            </tr>
                            </tbody>
                        </table>
                    </div>
                </div>
            </div>
        </div>
        
    
    


                </section>
            </div>
        </div>
    </div>

        

    </div>

        </div>

    
</div>















</body>
</html>